doc: add additional puppetmasters
This commit is contained in:
parent
ae6547aea8
commit
40c4be6f6e
31
doc/puppet/setup.md
Normal file
31
doc/puppet/setup.md
Normal file
@ -0,0 +1,31 @@
|
||||
# add additional master
|
||||
|
||||
these steps are required when adding additional puppet masters, as the subject alternative names on the certificate will need to be changed. this requires the old certificate be revoked, cleaned up, and for a new certificate to be generated and signed.
|
||||
|
||||
## prepare a new node
|
||||
- deploy a new now, or identify a space with the base role
|
||||
- change the hosts class to roles::infra::puppet::master
|
||||
- apply puppet until there are no more changes
|
||||
|
||||
## revoke the current certificate on the puppet master
|
||||
|
||||
sudo puppetserver ca clean --certname ausyd1nxvm1023.main.unkin.net
|
||||
|
||||
## stop the new puppetserver and cleanup revoked certificates
|
||||
|
||||
sudo systemctl stop puppetserver
|
||||
sudo rm -f /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem
|
||||
sudo rm -f /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem
|
||||
|
||||
## copy the current crl.pem, as puppetserver will overwrite it when starting
|
||||
|
||||
sudo cp /etc/puppetlabs/puppet/ssl/crl.pem /root/current_crl.pem
|
||||
|
||||
## request new puppet agent certificate
|
||||
|
||||
sudo puppet ssl bootstrap
|
||||
|
||||
## start the puppetserver service and move the crl.pem back in place
|
||||
|
||||
sudo systemctl start puppetserver
|
||||
sudo cp /root/current_crl.pem /etc/puppetlabs/puppet/ssl/crl.pem
|
||||
Loading…
Reference in New Issue
Block a user